How to set up a Cisco switch using A3

Symptoms
A3 is a vendor-agnostic platform that supports many different wired and wireless platforms. This article covers Cisco switches, specifically the 2960 model.

The Cisco 2960 supports Port Security, MAC Authentication Bypass (MAB), 802.1X, Web Authentication, downloadable ACLs and various combinations of these. This article focuses only on 802.1X and MAB, and uses a Cisco 2960, specifically a Catalyst WS-C2960-24-S running IOS 15-2 SE9 (Lanlitek9).

Note: There are many different versions of the Catalyst 2960. Some of them may not accept the 802.1X commands given in this guide.

Note: Do not use any port-security features together with 802.1X and/or MAC authentication; this can cause unexpected behavior.

Note: Not all features are supported in every IOS release; test before deploying in a live environment.

Environment

Related terms:

- Connecting a Cisco switch to A3
- Managing a Cisco switch in A3
- Using Aerohive Secure Network Access solution to manage Cisco switches
Resolution

Confirm the switch has some basic config.

- SSH enabled
- NTP
- Hostname
- Domain Name and management IP address.
 

Setting up the Cisco Switch (global settings)

First, run the following commands on the Cisco switch:

dot1x system-auth-control
aaa new-model
aaa group server radius A3
 server name A3-nac
aaa authentication login default local
aaa authentication dot1x default group A3
aaa authorization network default group A3

 

Without RADIUS accounting, a device connected to a switch port does not show as online in A3. Running the following commands resolves this:

aaa accounting network default start-stop group A3
aaa accounting identity default start-stop group A3
aaa accounting dot1x default start-stop group A3

 

RADIUS server configuration; this is how the switch talks to A3:

radius server A3-nac
  address ipv4 <A3 VIP> auth-port 1812 acct-port 1813
  automate-tester username dummy ignore-acct-port idle-time 3
  key 0 <a strong password>
radius-server vsa send authentication

 

CoA configuration; this enables VLAN switching (use the same IP address and key as in the previous step):

aaa server radius dynamic-author
 client <A3 VIP> server-key <a strong password>
 port 3799

 

Activate SNMP on the switch:

snmp-server community public RO

 

Now that the global configuration is complete, look at the configuration of the individual ports. There are a few options here depending on the setup and requirements. 802.1X can be combined with MAB, which suits multi-domain deployments or cases where multiple hosts connect through one switch port. It is also possible to use MAB only. Instructions for each method follow:

 

MAC Authentication bypass only

On each interface configure the following:

switchport mode access
switchport voice vlan 100
dot1x mac-auth-bypass
dot1x pae authenticator
dot1x port-control auto
dot1x timeout tx-period 5
dot1x reauthentication
authentication periodic
authentication timer restart 10800
authentication timer reauthenticate 7200
authentication violation replace
mab
no snmp trap link-status

 

802.1X with MAC Authentication bypass (MultiHost)

On each interface configure the following:

switchport mode access
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer restart 10800
authentication timer reauthenticate 7200
authentication violation replace
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout quiet-period 2
dot1x timeout tx-period 3

 

802.1X with MAC Authentication bypass (MultiDomain)

On each interface configure the following:

switchport mode access
switchport voice vlan 100
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer restart 10800
authentication timer reauthenticate 10800
authentication violation replace
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout quiet-period 2
dot1x timeout tx-period 3
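As an added example that is not part of this article or of A3, the Python check below audits a saved running-config against a subset of the global lines and the per-port lines given above, and flags the port-security caveat from the notes at the top. The config excerpt is constructed; the RADIUS group name A3 is taken from the article.

```python
# Subset of the article's global AAA lines (RADIUS group "A3") and the per-port
# lines shared by all three interface templates above.
REQUIRED_GLOBAL = [
    "dot1x system-auth-control",
    "aaa authentication dot1x default group A3",
    "aaa accounting dot1x default start-stop group A3",
]
REQUIRED_PORT = ["switchport mode access", "mab", "dot1x pae authenticator"]
# Constructed running-config excerpt: Fa0/1 follows the template, Fa0/2 does not.
SAMPLE_CONFIG = """\
dot1x system-auth-control
aaa authentication dot1x default group A3
interface FastEthernet0/1
 switchport mode access
 authentication port-control auto
 mab
 dot1x pae authenticator
interface FastEthernet0/2
 switchport mode access
 switchport port-security
"""

def parse_interfaces(config_text):
    """Return {interface: [commands]}; an unindented line closes a stanza."""
    interfaces, current = {}, None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None
    return interfaces

def audit_global(config_text):
    """Return required global commands that are absent from the config."""
    present = {l.strip() for l in config_text.splitlines()}
    return [cmd for cmd in REQUIRED_GLOBAL if cmd not in present]

def audit_interface(commands):
    """Return findings for one access port; port-security is the article's caveat."""
    findings = []
    if any(c.startswith("switchport port-security") for c in commands):
        findings.append("port-security enabled alongside 802.1X/MAB")
    if not {"authentication port-control auto", "dot1x port-control auto"} & set(commands):
        findings.append("port-control auto missing")
    findings += [f"missing: {c}" for c in REQUIRED_PORT if c not in commands]
    return findings
```

Run it against the output of "show running-config" saved to a file to catch ports that were missed during rollout.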

 

A3 Configuration

Add a network device under Configuration > Policy > Devices > Add Network Device so that the switch can communicate with A3.

From the Add Device drop-down menu, select the default group. If you are rolling out many devices, it may make sense to create a device group.

Under Device > Definition, select Cisco Catalyst 2960 from the drop-down. Everything else can be left at its default; just ensure Use CoA is enabled.

Go to Devices > Roles and enable Role by VLAN ID.

This is the mode supported on Cisco switches: A3 returns a different VLAN based on the username-to-role mapping.

Finally, enable the switch so it can communicate with A3, then click Save.

 

Configure the connection profile under Configuration > Policy > Connection Profile.

Add a new profile and give it a name and a relevant description.

Make sure the profile is enabled and that "automatically register devices" is enabled too.

Note: This profile is for wired 802.1X; it is worth setting up a separate profile for MAC authentication as well. That profile will usually not automatically register devices, since those devices should go through the registration process.

Apply the filters that make sense for the deployment, for example matching an Ethernet-EAP exchange.

Select the authentication source to map the connecting user to a role (Trusted-User) that applies VLAN 100.

Note: If a Windows PC is in use, ensure the "Wired AutoConfig" service is enabled (this can be enabled by GPO for a mass rollout). There are many guides and videos online: https://www.google.co.uk/search?q=wired+autoconfig+windows+10&safe=off&source=lnms&tbm=vid&sa=X&ved=0ahUKEwjlr9missfgAhUN2OAKHV5BDqkQ_AUIESgE&biw=1680&bih=859&dpr=2

Note: Certificate requirements for EAP-PEAP or EAP-TLS are not covered here. Follow Microsoft's recommendations; there are many guides online (https://support.microsoft.com/en-gb/help/814394/certificate-requirements-when-you-use-eap-tls-or-peap-with-eap-tls).

 

A view from the switch (terminal monitor)

Feb  6 14:16:29.704: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
Feb  6 14:16:30.710: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
Feb  6 14:16:34.376: %DOT1X-5-SUCCESS: Authentication successful for client (685b.3596.dffc) on Interface Fa0/1 AuditSessionID AC1000640000003200D13E2D
Feb 6 14:16:34.376: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (685b.3596.dffc) on Interface Fa0/1 AuditSessionID AC1000640000003200D13E2D
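As an added example (not from the article or from A3), the Python parser below reads switch syslog lines like the ones above, extracts the client MAC, interface and AuditSessionID, and collects the sessions whose AUTHMGR result is not a success, which are the ones worth alerting on. The sample includes the article's DOT1X and AUTHMGR lines plus one constructed failure line whose MAC and session id are invented.

```python
import re

# Matches the syslog lines shown above: "<timestamp>: %FACILITY-SEV-MNEMONIC: message".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+): "
    r"%(?P<facility>[A-Z0-9]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+): (?P<msg>.*)$"
)
# Client MAC, interface and AuditSessionID as printed in DOT1X and AUTHMGR messages.
CLIENT_RE = re.compile(
    r"client \((?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\) on Interface (?P<intf>\S+)"
    r"(?: AuditSessionID (?P<session>[0-9A-F]+))?"
)
RESULT_RE = re.compile(r"Authentication result '(?P<result>\w+)' from '(?P<method>\w+)'")

# Constructed sample: the article's LINK, DOT1X and AUTHMGR lines plus one made-up
# AUTHMGR failure line (its MAC, session id and result are invented for this example).
SAMPLE_LOG = [
    "Feb  6 14:16:29.704: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up",
    "Feb  6 14:16:34.376: %DOT1X-5-SUCCESS: Authentication successful for client "
    "(685b.3596.dffc) on Interface Fa0/1 AuditSessionID AC1000640000003200D13E2D",
    "Feb 6 14:16:34.376: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' "
    "for client (685b.3596.dffc) on Interface Fa0/1 AuditSessionID AC1000640000003200D13E2D",
    "Feb  6 14:20:01.100: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'mab' "
    "for client (0011.2233.4455) on Interface Fa0/2 AuditSessionID AC1000640000003300D13F00",
]

def parse_line(line):
    """Return the fields of one switch syslog line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for extra in (CLIENT_RE.search(rec["msg"]), RESULT_RE.search(rec["msg"])):
        if extra:
            rec.update(extra.groupdict())
    return rec

def summarize(lines):
    """Map AuditSessionID -> (mac, interface, method, result) from AUTHMGR-7-RESULT lines."""
    sessions = {}
    for line in lines:
        rec = parse_line(line)
        if rec and rec["facility"] == "AUTHMGR" and rec["mnemonic"] == "RESULT" and rec.get("session"):
            sessions[rec["session"]] = (rec["mac"], rec["intf"], rec["method"], rec["result"])
    return sessions

def failed_sessions(lines):
    """Sessions whose last AUTHMGR result was not 'success'."""
    return {sid: v for sid, v in summarize(lines).items() if v[3] != "success"}
```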
